Executive Summary 


Enterprise organizations continue to face a range of cyber-threats including high volumes of generic malware, attacks on 
vulnerable software, and sophisticated custom exploits built for specific targeted attacks. When facing this type of threat 
landscape, CISOs need the right tools in the right places across all network segments. The white paper concludes: 


Organizations are investing in network security. Most organizations are increasing cybersecurity spending in 2017, 
regardless of their size, location, and industry. The biggest area of investment? Network security. CISOs continue to 
build layered defenses with a combination of network appliances, host-based controls, and virtual network security 
software deployed throughout the network. 


Next-generation firewalls (NGFWs) come with promises and compromises. Most organizations have two specific security 
objectives: improve threat prevention/detection efficacy while streamlining security operations. These goals seem to 
align well with NGFWs that consolidate multiple security services onto a single perimeter appliance. Unfortunately, 
NGFWs come with tradeoffs, especially in areas like network performance and depth of threat protection coverage. 
For many enterprise CISOs, these limitations tend to rule out an NGFW-only strategy, encouraging comprehensive and 
complementary network security controls deployed in multiple places across the network. 


Layered network defenses and standalone next-generation intrusion prevention systems (NGIPSs) still make sense. 

CISOs looking for comprehensive network security protection continue to opt for defense-in-depth, anchored by fixed 
function network security tools like standalone NGIPSs. In fact, leading NGIPSs, like those from Trend Micro 
TippingPoint, can enhance threat protection, streamline operations by integrating with other security tools, and 
support the division of labor between security and network operations teams. Given these benefits, many enterprise 
organizations are investing in, rather than eliminating, NGIPSs. 


Dynamic Changes in Network Security 


According to ESG research, 69% of organizations are increasing their spending on cybersecurity products and services in 
2017.¹ Cybersecurity investments will occur in a number of areas, but it is noteworthy that network security spending tops 
the list: 39% of organizations will make their most significant cybersecurity investments in network security over the next 
12 to 18 months (see Figure 1). 


1 Source: ESG Research Report, 2017 IT Spending Intentions Survey, March 2017. All ESG research references and charts in this white paper have 
been taken from this research report unless otherwise noted. 
Figure 1. Top Six Most Significant Areas of Cybersecurity Investment 





We would like to learn more about your specific spending plans for cybersecurity. In which of 
the following areas will your organization make the most significant investments over the next 
12-18 months? (Percent of respondents, N=418, five responses accepted) 


Network security                    39% 
Endpoint security                   30% 
Security analytics                  29% 
Cloud application security          25% 
Information assurance               25% 
Identity and access management      25% 





Source: Enterprise Strategy Group, 2017 


CISOs will increase network security spending because: 


Network scale and complexity challenge traditional controls. Core networks run at 40 Gbps or even 100 Gbps 
throughput, and security controls can’t bottleneck mission-critical traffic. This can be especially difficult since 40% or 
more of network traffic is encrypted, so network security must include the processing power to decrypt and inspect this 
encrypted traffic. Additionally, many organizations are embracing new digital transformation applications that often 
include new types of IoT devices. In aggregate, there is more traffic, more devices, and more connections every day. 
Network security tools must have the ability to keep up with traffic flows while blocking or detecting threats in real 
time. 


Use cases are proliferating. Network security used to be synonymous with perimeter security devices—bastion 
servers, firewalls, gateways, etc.—but this is no longer true. Beyond the perimeter, network security use cases now 
include protecting data center networks, core networks, and even cloud networks. Large organizations need tools for 
network segmentation, threat detection, and security monitoring on the network from end to end. 


Cybersecurity departments tend to be understaffed and under-skilled. According to ESG research, 45% of organizations 
report that they have a problematic shortage of cybersecurity skills today. Unfortunately, this means that they don’t 
have enough cybersecurity staff members, and those that they do have may not have the right skills or experience 
needed for risk mitigation or incident response. To counteract skills deficiencies, many CISOs are looking for new 
types of network security controls offering greater intelligence, automation, and continuous monitoring of network 
traffic. 


Organizations are vulnerable to advanced cyber-threats. According to a recently published ESG research report done in 
collaboration with the Information Systems Security Association (ISSA), 45% of cybersecurity professionals believe 
that most organizations are extremely vulnerable to a significant cyber-attack or data breach, while another 47% 
believe that most organizations are somewhat vulnerable to these types of security events.² Why? Cyber-adversaries 
are constantly developing and collaborating on new types of cyber-weapons to launch stealthy targeted attacks on 
their victims. On the defensive side, many firms find they spend much of their time responding to emergency events 
and precious little time on more proactive security measures. CISOs want to bank on modern network security 
controls and work with high-IQ vendors who continuously research and follow cybercriminals in order to develop and 
maintain the best possible network security controls. 


Network Security Requirements 


The ESG research indicates that CISOs are poised to spend on network security to support a growing list of high-priority 
requirements. New network security technology must: 


• Support business and IT requirements. In other words, network security controls can’t bottleneck new types of 
digital transformation applications or IT initiatives. Rather, network security must remain transparent to business 
operations while supporting new types of applications, business processes, and a variety of IT initiatives including 
cloud computing, mobility, IoT, etc. 


• Increase security efficacy for incident prevention and detection. CISOs are investing in new tools that offer better 
protection against targeted attacks based upon 0-day vulnerabilities or polymorphic malware. 


• Enhance network security telemetry. SOC analysts want to collect, process, analyze, and store terabytes of network 
telemetry in order to detect anomalous behavior, query real-time security data, and perform retrospective 
investigations to detect low-and-slow attacks. In this way, security analysts hope to have better visibility across the 
entire kill chain. 


• Streamline operations. To address the cybersecurity skills shortage, CISOs know they need to acquire network 
security tools with multiple threat detection technologies that can decrease false positive alerts and ease the 
investigations burden on infosec staff. Furthermore, network security tools must be designed for integration and 
help cybersecurity teams automate existing manual processes. 


It’s worth noting that while CISOs have budget dollars to spend on network security, they also face increased scrutiny from 
CEOs and corporate boards who expect a return on their network security investments. This means that CISOs must deliver 
sound metrics demonstrating that network security investments actually provide quantifiable improvements for all of the 
requirements highlighted above. Given this responsibility, CISOs must not compromise on network security packaging or 
functionality. Rather, they should look for solutions that provide measurable benefits in all areas. 


Enterprise Network Security Still Demands a Layered Approach 


Certainly, existing network security controls have become less efficient and effective over time, so changes and new 
investments are necessary. In the past, this meant adding new types of network security technologies to create a defense- 
in-depth architecture where different tools build upon one another to decrease the attack surface, block malicious activity, 
or use complementary technologies for threat detection. 


Of course, there are various ways to build defense-in-depth network security. One approach is to package multiple security 
functions into a single tightly integrated appliance that sits inline on the network, usually at the network perimeter. 


2 Source: ESG/ISSA Research Report, Through the Eyes of Cyber Security Professionals: Annual Research Report (Part II), December 2016. 
Next-generation firewalls fit this type of profile, as Wikipedia defines the term “next-generation firewall” as follows: 


A Next-Generation Firewall is an integrated network platform that is a part of the third generation of firewall technology, 
combining a traditional firewall with other network device filtering functionalities, such as an application firewall using 
in-line deep packet inspection (DPI), an intrusion prevention system (IPS). Other techniques might also be employed, such 
as TLS/SSL encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus inspection and 
third-party identity management integration (i.e. LDAP, RADIUS, Active Directory). 


In the context of this definition, NGFWs seem like they would be a good fit for the burgeoning network security 
requirements described previously. After all, NGFWs provide lots of integrated network security functionality in a single 
hardware appliance. Vendors often claim that this packaging creates a situation where security functions complement one 
another, increasing malware detection rates and blocking attacks at the network perimeter. Furthermore, NGFWs can 
consolidate management through a single portal, streamlining operations in the process. 


In theory, these are worthwhile NGFW features that can be beneficial for the right type of organization. This is especially 
true for smaller organizations or those that equate network security with regulatory compliance mandates. Unfortunately, 
this isn’t always the case, especially for large organizations with complex global networks. NGFWs can be a mismatch 
because enterprise organizations: 


Need maximum network performance. While NGFWs are designed for high-performance networks, system resources 
tend to be dedicated to streaming packets for stateful firewalling. When additional network security services (i.e., 
IDS/IPS, AV, SSL decryption, web threat management, etc.) are enabled, however, NGFWs are faced with a variety of 
workloads with different computational needs. In some cases, NGFWs simply drop packets or apply all available 
resources to core firewalling needs, minimizing additional security services. When resources are allocated to security 
services beyond layer 3-4 firewalling, overall system performance tends to degrade rapidly, turning NGFWs into a 
network throughput bottleneck. Enterprise organizations have little patience for NGFWs when this type of 
performance degradation impedes applications, impacts business processes, and disrupts user productivity. 


Face targeted threats. To keep up with network throughput, NGFWs use streaming technology to inspect packets as 
they move from one network segment to another. While this design may meet performance requirements, it 
sacrifices more thorough inspection of network content. For example, NGFWs tend to offer multiple types of built-in 
filters like IPS signatures and reputation scoring. While these filters may block pedestrian network-based intrusions, 
they are no match for polymorphic malware and obfuscation techniques employed by sophisticated cyber- 
adversaries. Furthermore, since NGFWs are generally deployed at the network perimeter, they remain completely 
blind to malicious network behavior such as network scanning and lateral movement from one network node to 
another or within network segments themselves. Enterprise CISOs realize that no single appliance can deliver the 
level of comprehensive protection, network coverage, or visibility they need to protect their organizations. 


Employ separation of duties between security and network operations teams. While security and network operations 
teams collaborate on network security, they have fundamentally different missions. The security staff focuses on 
mitigating risk and rapid incident response while networking concentrates on maintaining network throughput and 
uptime. These disparate goals can lead to problems with NGFW management. To respond to dynamic types of 
threats, security teams need the ability to update configurations and create new rules in real time. This behavior 
tends to be antithetical to the network operations goal of maintaining a stable network when performance and 
throughput are meeting SLAs. Given this separation of duties model, most organizations designate NGFWs as 
networking equipment and minimize configuration changes while simultaneously refining network security controls 
with other types of devices. Given this situation, NGFWs can be limited in their ability to react quickly to network 
attacks. 
May consider NGFWs overkill for internal network segments. As previously stated, NGFWs are really designed as 
network security “Swiss army knives” for network perimeters, offering multiple network security services in a single 
appliance. This means that NGFWs default to rule sets that implicitly allow traffic from sources and destinations 
within a network segment without proper inspection. Unfortunately, this results in a situation where traffic can 
bypass security policies. Enterprises are moving rapidly to simpler and more effective methods for internal network 
segmentation that meet compliance needs while remaining less intrusive than inline NGFWs. 


The Case for Dedicated NGIPSs: More Compelling than Ever in the Enterprise 


NGFWs’ promise of consolidated management and functionality is certainly appealing. When they first arrived a few 
years ago, many enterprise CISOs jumped at the chance to aggregate multiple network security services into a single 
appliance as a means of reaping numerous financial and operational benefits. 


While many enterprises explored this strategy, few pursued it because NGFW convenience came with too many security 
and organizational limitations and compromises. As a result, ESG sees many organizations reversing their decisions and 
returning to a network security infrastructure that includes perimeter-based NGFWs and dedicated NGIPSs deployed 
behind the firewall and at various other locations on internal networks. 


Why are so many enterprises redeploying dedicated NGIPSs? The combination of NGFWs and dedicated NGIPSs can deliver: 


High throughput, low-latency performance needs. Following the adage of “the right tool for the right job,” enterprise 
organizations employ NGFW for L3/L4 firewalling, application controls, and stream-based packet filtering at the 
network perimeter. Most NGFWs can handle this type of standard workload with aplomb, maintaining wire-speed 
performance. Dedicated NGIPSs are then added behind firewalls and on internal networks to improve security 
efficacy for preventing/detecting attacks, protecting high-value applications and servers, fine-tuning controls, and 
capturing valuable network telemetry for security analytics. 


Wide coverage of application- and protocol-based threats. Leading NGIPSs are especially good at protecting business 
critical applications with features like virtual patching, extensive protocol inspection support, and threat intelligence 
integration. 


Separation of duties between security and network operations teams. Dedicated NGIPSs are typically owned and 
operated by security teams, providing a platform they can adjust as necessary without disrupting network operations. 
This can support separation of duties while enhancing overall security efficacy. 


Internal network coverage and segmentation. NGIPSs are often deployed on internal networks to help detect cyber- 
attacks that circumvent perimeter firewalls. For example, cyber-adversaries may employ social engineering and 
phishing attacks to compromise an employee’s laptop when she is travelling. When the user returns to the corporate 
network, NGIPSs can detect suspicious traffic patterns associated with activities like lateral movement and credential 
theft. To decrease the attack surface, NGIPSs can also be used for internal network segmentation. NGIPSs are a good 
fit here as they can easily enforce basic segmentation rules while capturing network telemetry for analysis. And since 
NGIPS isn’t a layer 3 or 4 networking device, it can ease internal network security changes without involving network 
engineering and operations teams. 
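The two internal-network roles described above, detecting lateral-movement-style traffic patterns and enforcing basic segmentation rules, can be illustrated with a small check over flow records. The following is an added example written for this page; it is not code from ESG or from the Trend Micro TippingPoint product. The flow records, the segment names, the list of administrative ports, and the allowed segment pairs are all constructed assumptions for the demonstration; a real sensor would derive them from its own telemetry and policy.

```python
"""Two checks an internal NGIPS-style sensor can run over flow records:
fan-out (one host opening admin-protocol connections to many internal peers)
and basic segmentation-policy enforcement. All data here is constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    src_segment: str
    dst_segment: str


# Assumed list of ports used for remote administration. A workstation that opens
# connections to many distinct peers on these ports is the kind of "suspicious
# traffic pattern" an internal sensor looks for after a laptop returns to the LAN.
ADMIN_PORTS: FrozenSet[int] = frozenset({22, 135, 445, 3389, 5985})

# Constructed segmentation policy (hypothetical): allowed (src_segment, dst_segment) pairs.
# Anything not listed is a violation of the segmentation rules.
ALLOWED_SEGMENT_PAIRS: FrozenSet[Tuple[str, str]] = frozenset({
    ("user", "user"),
    ("user", "server"),
    ("server", "server"),
    ("server", "pci"),
})

# Constructed sample flows: 10.1.5.23 sweeps several peers over SMB/RDP and also
# reaches into the PCI segment; 10.1.5.24 only talks to one file server; a database
# server legitimately reaches the PCI segment on a non-admin port.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.1.5.23", "10.1.5.40", 445, "user", "user"),
    Flow("10.1.5.23", "10.1.5.41", 445, "user", "user"),
    Flow("10.1.5.23", "10.1.5.42", 445, "user", "user"),
    Flow("10.1.5.23", "10.1.5.43", 3389, "user", "user"),
    Flow("10.1.5.23", "10.1.20.10", 3389, "user", "server"),
    Flow("10.1.5.23", "10.1.30.5", 445, "user", "pci"),
    Flow("10.1.5.24", "10.1.20.10", 445, "user", "server"),
    Flow("10.1.5.24", "10.1.20.10", 445, "user", "server"),
    Flow("10.1.20.10", "10.1.30.5", 1433, "server", "pci"),
]


def admin_fan_out(flows: Iterable[Flow], ports: FrozenSet[int] = ADMIN_PORTS) -> Dict[str, Set[str]]:
    """Map each source host to the set of distinct peers it reached on admin ports."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst_port in ports:
            targets[f.src].add(f.dst)
    return dict(targets)


def flag_lateral_movement(flows: Iterable[Flow], threshold: int = 5,
                          ports: FrozenSet[int] = ADMIN_PORTS) -> List[str]:
    """Return sources whose admin-port fan-out meets the threshold, sorted for stable output."""
    fan_out = admin_fan_out(flows, ports)
    return sorted(src for src, dsts in fan_out.items() if len(dsts) >= threshold)


def segmentation_violations(flows: Iterable[Flow],
                            allowed: FrozenSet[Tuple[str, str]] = ALLOWED_SEGMENT_PAIRS) -> List[Flow]:
    """Return flows whose (src_segment, dst_segment) pair is not permitted by the policy."""
    return [f for f in flows if (f.src_segment, f.dst_segment) not in allowed]


if __name__ == "__main__":
    for src in flag_lateral_movement(SAMPLE_FLOWS):
        peers = sorted(admin_fan_out(SAMPLE_FLOWS)[src])
        print(f"fan-out alert: {src} reached {len(peers)} peers on admin ports: {peers}")
    for f in segmentation_violations(SAMPLE_FLOWS):
        print(f"segmentation violation: {f.src} ({f.src_segment}) -> {f.dst}:{f.dst_port} ({f.dst_segment})")
```

On the constructed data the fan-out check flags only 10.1.5.23 (six distinct peers on administrative ports), and the segmentation check flags only its SMB connection into the PCI segment; the database server's connection to the same PCI host is allowed by policy. The threshold and port list are deliberately parameters, since the right values depend on what is normal for a given segment, and a sensor that enforces these rules without being a layer 3/4 device can have them tuned by the security team alone, which is the separation-of-duties point the text makes.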


In addition to organizational and networking flexibility, CISOs are turning to NGIPS for another important reason: improved 
security. Leading NGIPSs offer features like virtual patching, vulnerability remediation, protocol inspection, integrated 
advanced threat protection, and tight integration with threat intelligence to equate anomalous internal behavior with 
known cyber-threat campaigns. Given these benefits, many CISOs remain committed to network security featuring NGFW 
and standalone NGIPS. 


Trend Micro TippingPoint NGIPS 


When the subject of NGIPSs is brought up in cybersecurity professional circles, TippingPoint often comes to mind. The 
TippingPoint solution has been active in network security for many years and offers features that deliver: 


High-performance and comprehensive threat protection. Trend Micro offers the TippingPoint family of NGIPS devices 
with inspection throughput up to 100 Gbps and low-latency inspection to cover core and data center networks. 


Out-of-the-box functionality. Trend Micro offers strong default protection mechanisms. For example, Trend provides 
multiple scanning techniques across over 100 protocols and can work with Trend’s Advanced Threat Protection (ATP) 
appliance to monitor lateral network traffic to detect unknown threats. The TippingPoint solution also has a strong 
reputation for manageability through its Security Management System (SMS) central management and easy 
integration with SIEM, vulnerability scanners, and other security tools. Finally, Trend Micro TippingPoint has gained a 
reputation for its strong security knowledge and customer support. 


Advanced threat prevention. Given the volume and variety of cyber-attacks, many organizations are bolstering the use 
of threat prevention technologies to reduce the network attack surface. Trend Micro TippingPoint aligns with this 
trend with its Digital Vaccine Labs (DVLabs) and its leading Zero Day Initiative bug bounty program. These services can 
help organizations protect critical business applications with proactive discovery of vulnerabilities and virtual 
vulnerability-facing patches to block exploits. 


Synergistic integration with threat intelligence. The TippingPoint NGIPS integrates with threat intelligence to help 
organizations block and investigate suspicious internal traffic that may be indicative of known cyber-attack tactics, 
techniques, and procedures (TTPs) seen “in the wild” on the public Internet. 


Integration with other leading Trend Micro security technologies. Aside from third-party integration, Trend Micro has 
also focused on integrating TippingPoint with its other security technologies such as its cloud-based threat 
intelligence for advanced threat detection. 


The Bigger Truth 


Next-generation firewalls represent the next evolutionary step in firewall innovation by tightly integrating traditional L3/L4 
firewalling capabilities with additional network security services. They are especially useful for applying granular access and 
application controls to internal employee use of cloud-based applications. 


Many enterprise CISOs truly appreciate the incremental value of NGFWs, but have come to recognize that consolidation 
and integration of various network security services come with costs. NGFWs can hinder network throughput while threat 
prevention/detection capabilities are necessarily reduced to accommodate the limited resources of a single multifunction 
appliance. This may be an unacceptable tradeoff, especially to larger organizations. 


Rather than compromise with a one-size-fits-all solution, many CISOs continue to opt for a more comprehensive defense- 
in-depth “layered” approach for network security featuring standalone, best-of-breed NGIPSs and next-generation firewalls 
throughout their network, starting at the perimeter, continuing through the core and the data center, and extending to their cloud 
infrastructure. By embracing standalone NGIPSs like those from Trend Micro, enterprises can rely on security effectiveness 
not only for threat detection/prevention but also for isolation and remediation in a flexible manner that meets 
organizational and risk management objectives without compromising performance. 